How SOC metrics improve security operation centers' performance

With the use of security operations centers comes the need for effective security metrics to gauge SOC performance and improve security posture. Learn more with expert Nick Lewis.

To some, metrics are the holy grail of information security. Being able to monitor, measure and communicate the information security state of an enterprise can be powerful.

While some enterprises are still struggling with all of the metrics and the changing landscape of tools and processes used as data sources, one rapidly maturing area is security operations centers, where defining metrics has been a challenge.

In this tip, we'll take a closer look at security operation center (SOC) metrics and ways to improve an enterprise's security posture.

SOC metrics

Once enterprises realized that just looking at log data from their IT environment was insufficient, network operations centers evolved and dedicated security operations centers formed. Security operation centers can handle many different functions, like monitoring logs, responding to incidents and security administration, all coordinated via people, processes and technology.

Many SOCs evolved from the enterprise SIEM systems used to monitor environments and the people who monitor the logs. Managed security service providers and cloud services companies have been created to provide this service to enterprises or to supplement an enterprise's internal resources.

As SOCs mature, analytics and decision support are being included to drive more value for enterprises and to provide insight into how effectively security resources are being used. As SOCs continue to mature, the need for metrics and their supporting definitions is becoming more important, as is using the metrics to make changes and monitor the environment. Even defining what constitutes an incident is important, as not all security incidents have the same impact or require the same response.

There are several resources enterprises can use to learn more about security metrics, starting with the seminal book Security Metrics: Replacing Fear, Uncertainty, and Doubt by Andrew Jaquith. The Center for Internet Security, a nonprofit organization whose mission is to promote cybersecurity, also provides some guidance on security metrics. The SANS Institute offers several papers related to SOC metrics, and NIST hosts the National Vulnerability Database, which provides metrics for tracked vulnerabilities.

As your enterprise determines your SOC metrics, you may also want to review the resources from the SANS Security Operations Summit from July 2018 and the SANS webcasts about their SOC survey.

When developing SOC metrics, identifying the highest value processes or areas that need the most resources can help identify where metrics and management attention may be needed the most. This can be part of continuous improvement and shouldn't be limited to how your SIEM or any particular tool is licensed or can be used.

With an outsourced SOC, it may be critical to set these metrics upfront and include them in a contract to ensure that the SOC can generate the data and support the required metrics.

Ways to improve an enterprise's security posture

The metrics for your enterprise will vary depending on the tools you use, the scope of your environment and your information security program. However, basic security controls can be mapped to the tools and processes to identify the potential metrics to use.

Monitoring firewall alerts or failed logins alone may be useful if there is a sudden increase, and retaining that data for incident response is absolutely necessary. However, monitoring over time may not yield actionable information without correlation and analysis. For scoping, if you monitor firewall alerts in multiple locations in the network, then it may not be useful to report on a raw number of alerts because a network flow may generate multiple alerts or logs and only get blocked at one point.
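The scoping problem above, as an added example that is not part of the original article: it collapses alerts from several firewalls into one event per network flow, so the reported number is distinct flows and where each was blocked rather than a raw alert count. The alert fields, sensor names and the 60-second window are assumptions, and the sample alerts are constructed.

```python
# Constructed sample alerts (not real logs); the field layout is an assumption:
# (epoch_seconds, sensor, src, dst, dst_port, proto, action)
ALERTS = [
    (1000, "edge-fw", "203.0.113.7", "10.1.2.5", 445, "tcp", "alert"),
    (1001, "core-fw", "203.0.113.7", "10.1.2.5", 445, "tcp", "alert"),
    (1002, "dc-fw", "203.0.113.7", "10.1.2.5", 445, "tcp", "block"),
    (1030, "edge-fw", "198.51.100.9", "10.1.3.8", 22, "tcp", "alert"),
    (1031, "core-fw", "198.51.100.9", "10.1.3.8", 22, "tcp", "alert"),
    (1900, "edge-fw", "203.0.113.7", "10.1.2.5", 445, "tcp", "block"),
]

WINDOW = 60  # seconds of silence after which the same flow counts as a new event


def collapse_flows(alerts, window=WINDOW):
    """Group alerts for the same flow seen within `window` seconds of each other."""
    events = []
    latest = {}  # flow key -> most recent event for that flow
    for ts, sensor, src, dst, dport, proto, action in sorted(alerts):
        key = (src, dst, dport, proto)
        ev = latest.get(key)
        if ev is None or ts - ev["last"] > window:
            ev = {"flow": key, "first": ts, "last": ts,
                  "sensors": set(), "blocked_at": None}
            events.append(ev)
            latest[key] = ev
        ev["last"] = ts
        ev["sensors"].add(sensor)
        # Record only the first point where the flow was actually stopped.
        if action == "block" and ev["blocked_at"] is None:
            ev["blocked_at"] = sensor
    return events


def report(alerts):
    """Compare the raw alert count with the deduplicated, per-flow view."""
    events = collapse_flows(alerts)
    return {
        "raw_alerts": len(alerts),
        "distinct_events": len(events),
        "blocked": sum(1 for e in events if e["blocked_at"]),
        "never_blocked": sum(1 for e in events if not e["blocked_at"]),
    }


if __name__ == "__main__":
    print(report(ALERTS))
```

The `never_blocked` figure is the one worth trending: it counts flows that raised alerts at one or more sensors but were not stopped anywhere.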

Knowing what is included or excluded from monitoring with an SOC is something to be clear about. For example, if you have remote offices that occasionally have local servers, and those servers are not monitored by the SOC, then the metrics may not reflect all the servers in your environment.

Securosis, a cloud security company headquartered in Phoenix, Ariz., recommends focusing on use case categories such as security alerts, forensics, and response and compliance reporting. Each of these categories can be broken down into more detailed metrics, as well as the corresponding data sources or tools used to generate the metrics in the SOC.

Many SOCs monitor endpoint security tool logs and respond when high-risk malware is detected, so a metric could be built around those processes. Data generated in this process can be used to determine the costs required -- in terms of resources, as well as any financial costs -- to respond to an incident and how effective the response can be.

You can track elapsed time at different steps in the process, starting from when the alert is generated, when an analyst begins investigating and when the analyst determines an incident actually began -- if it's different from the initial alert time -- to when the system is clean. Measuring each step can be useful to evaluate how effective each step in the process is and to potentially evaluate if changes need to be made to a process -- while keeping in mind that gathering this data requires additional resources.

Of course, the process becomes more complicated when multiple systems are included in a single incident or when sensitive data is involved. Having an analyst validate when an incident began should be part of checking the effectiveness of an endpoint security tool.

Measuring the effectiveness of such a tool must take in all the aspects of its performance. For example, consider how long it takes to determine if something malicious happened, if the tool is able to capture the start of an incident and the detection time, or if a different tool detected the incident. These factors could signal a need to study the tool's effectiveness, configuration or usage to ensure the protection of your enterprise.

This metric can also be rolled up into incidents per analyst, incidents per machine or incidents per scope and analyzed over time. Similarly, tracking the time to recover a system from a malware attack can be analyzed to determine whether it is more cost-effective to use an automated reinstall or restore from a backup or a known-good state rather than manually cleaning an infected system.
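The elapsed-time tracking and roll-ups described above, as an added example that is not part of the original article: it computes the time spent in each step of an endpoint malware response and counts incidents per analyst and per machine. The record fields, stage names and sample incidents are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample incidents (not real data); field names are assumptions.
# "began" is the analyst-validated start; None means it matched the alert time.
INCIDENTS = [
    {"id": "INC-1", "analyst": "alice", "host": "ws-014",
     "alert": "2018-09-03T09:00", "triage": "2018-09-03T09:20",
     "began": "2018-09-03T07:30", "clean": "2018-09-03T13:00"},
    {"id": "INC-2", "analyst": "bob", "host": "ws-022",
     "alert": "2018-09-04T14:00", "triage": "2018-09-04T15:10",
     "began": None, "clean": "2018-09-04T18:00"},
    {"id": "INC-3", "analyst": "alice", "host": "ws-014",
     "alert": "2018-09-05T10:00", "triage": "2018-09-05T10:10",
     "began": "2018-09-04T22:00", "clean": "2018-09-05T12:00"},
]


def minutes(start, end):
    return (end - start).total_seconds() / 60


def stage_times(inc):
    """Minutes spent in each step, from validated start to clean system."""
    alert, triage, clean = (datetime.fromisoformat(inc[k])
                            for k in ("alert", "triage", "clean"))
    began = datetime.fromisoformat(inc["began"]) if inc["began"] else alert
    if not (began <= alert <= triage <= clean):
        raise ValueError(f"{inc['id']}: timestamps out of order")
    return {
        "detect_gap": minutes(began, alert),      # incident start -> tool alert
        "time_to_triage": minutes(alert, triage), # alert -> analyst starts
        "time_to_clean": minutes(triage, clean),  # analyst starts -> system clean
        "total": minutes(began, clean),
    }


def summarize(incidents):
    """Median minutes per step, plus incident counts per analyst and per host."""
    stages = defaultdict(list)
    per_analyst, per_host = defaultdict(int), defaultdict(int)
    for inc in incidents:
        for name, value in stage_times(inc).items():
            stages[name].append(value)
        per_analyst[inc["analyst"]] += 1
        per_host[inc["host"]] += 1
    medians = {name: median(values) for name, values in stages.items()}
    return medians, dict(per_analyst), dict(per_host)
```

A large `detect_gap` points at the endpoint tool or its configuration, while a large `time_to_clean` is the input to the reinstall-versus-manual-cleaning comparison.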

Information security is rapidly changing, and it is continuing to evolve to drive more value for enterprises. As SOCs also continue to evolve, their importance to the enterprise is increasing and helping to drive more improvements to enterprise information security programs and improve the security posture of companies.

However, these improvements will require enterprises to use data gathered from SOCs to create the metrics that will drive this change. While this data will differ based on the tools and the scope, focusing on the highest value systems or processes can provide a starting point that can extend to the rest of the enterprise.

This was last published in September 2018
